SYSTEM_BOOT_ENVIRONMENT_INFORMATION

The SYSTEM_BOOT_ENVIRONMENT_INFORMATION structure
is what a successful call to ZwQuerySystemInformation
or NtQuerySystemInformation produces in its output
buffer when given the information class SystemBootEnvironmentInformation
(0x5A).

Documentation Status

The SYSTEM_BOOT_ENVIRONMENT_INFORMATION structure
is not documented.

Layout

The SYSTEM_BOOT_ENVIRONMENT_INFORMATION is 0x20 bytes
in both 32-bit and 64-bit Windows 10. There is also a SYSTEM_BOOT_ENVIRONMENT_V1
structure that reaches only up to and including the FirmwareType.

Offset

Definition

0x00

GUID BootIdentifier;

0x10

FIRMWARE_TYPE FirmwareType;

0x18

ULONGLONG BootFlags;

The kernel learns the BootIdentifier from the loader
via the BootIdentifier member of the
LOADER_PARAMETER_EXTENSION.
Its retrieval through the SYSTEM_BOOT_ENVIRONMENT_INFORMATION
is how BCDEDIT knows which of the installed Windows systems actually got booted.

The FIRMWARE_TYPE enumeration is defined in WINNT.H
for user-mode programming. Its retrieval through the SYSTEM_BOOT_ENVIRONMENT_INFORMATION
is how NTDLL supports FIRMWARE_TYPE as a fake environment
variable. Programmers who think to use this structure and
NtQuerySystemInformation just to get the firmware type would better use the
documented KERNEL32 function GetFirmwareType instead.

The BootFlags are what the loader passes to the kernel
via the BootFlags member of the
LOADER_PARAMETER_EXTENSION. The 0x01 bit is understood well enough to describe
here. It is set when Windows booted with the following combination of BCD options:

bootmenupolicy is present and its value is not
Legacy;

safeboot is not present;

custom:16000071 is present and is non-zero.

This page was created on 9th July 2016 but was not published
until 29th October 2016. It was
last modified on 7th November 2016.